Super Nuclear Worm Invades Kazakhstan

Thursday, September 30, 2010

After reading so much hype concerning Stuxnet, I decided it was time to separate fact from fiction. With all due respect to the analysts and “experts” in this subject matter, I figured it was time to add my two cents to the pool, coming from a “hacker’s” perspective.

For the record, I’ve been professionally employed in the security arena since circa 1998, when my first “security based title” was security engineer for Register.com, which back when I worked there wasn’t a publicly traded company and had under 30 employees.

Prior to my “professional” title, I had been involved with computing since 1991, when I began working at what was then Chemical Bank. I filled a few roles there, the last of them assisting with fraud investigations under the “Accounts Reconciliation Department” at 55 Water Street, NYC. This gives me 19 years of professional experience, the vast majority of it involving security in almost all capacities.

Currently I work at a Managed Services Provider where I create a variety of Managed Security Services, and again my role is very broad. I could be performing CSO functions one day, performing incident response and forensics the next, followed by penetration testing, risk assessments, information security management, VoIP engineering, administration and design, to name a few.

My days are never dull, they’re never the same, and I enjoy being able to dabble in enough different technology arenas, including Digital Signage, Video Conferencing, and the list goes on. With a brief bio out of the way, I’d also like to state that I have quite a few high level technical certifications (C|EH, CHFI, CPT, OSCP, etc., etc.), have been referenced in a few security related books, and have been fortunate enough to collaborate and have discussions with the heaviest hitters in the security industry.

When I first heard about Stuxnet, it made me shrug my shoulders just as much as I shrugged when hearing about Aurora, the “(un)Advanced Persistent Threat.” Apart from all the hype, the entire concept of “Stuxnet” being a “highly weaponized targeted” threat is way out of tune with reality.

From everything I have read so far, everyone seems to be repeating what everyone else is repeating! Who’s on first, what’s on second? In my honest “expert” opinion, there are a lot of confused, underclued and biased individuals looking at this from a biased and distorted perspective, one filled with fantasy, hype, and illogical and bizarre points of view. Some should even write creative fiction books on Stuxnet, for crying out loud.

Let’s start at the top of the food chain with what everyone is rambling about: “An unknown rogue party or individual created a highly sophisticated attack aimed at Iran’s nuclear facilities.” “The party created a zero day USB key that infected these facilities and is now entrenched in Iran’s nuclear SCADA systems.”

Sounds so “Bourne Identity’ish” if you ask me; maybe we could get Hollywood in on the action right after Symantec, McAfee and others. Here is how, without getting into gory technical details, this plan fails with a capital ph (phails, as in phreaker, as in trying to remain hip).

Sponsor – sitting in a room with a swaying light bulb over a desk. He smokes a cigarette, taking slow ‘drags’ of it, the orange light flaring from its tip. “We need to decapitate their nuclear facilities.” As the rogue hacker sits listening he immediately blurts out “I have a plan!” “We will build USB switchblades [1] and deploy them to Iran. They in turn will pick them up in awe, wonder what is on them, plug them into these machines in the nuclear facility, and it is game over.” “Cut!” yells the Hollywood director. Shocking! Thrilling! Amazing! Academy Award Winning!

Even a Hollywood director would know the implausibility of such an insane “cockamamie” story. A good Hollywood director would throw out the script or consult with real-world hackers to see how they could make it seem more realistic. For starters we have a sponsor who is dishing out money searching for a foot in the door. Depending on which security ‘expert’ is trying to ramp up their name at the moment, there are a lot of plain old dumb comments: “We’re talking man-months, if not years, of coding to make it work the way it did.”

So far we have the following:

1) A potential sponsor pays to create weaponized software aimed at infecting a nuclear facility, or a potential rogue coder devotes “man months if not years” to infecting a nuclear facility.

2) The attacker chooses the USB attack vector to deploy his payload.

Let’s stop here for a moment and analyze two points of view, the first of the sponsor and the second of an attacker. As a sponsor, someone who has invested money, someone who may have to answer a lot of questions if discovered, I have to assume that my hired-gun hacker pulls this off without leaving a trace.

Not only do I have to worry that he can pull this off, I have to assume that his method of choice for delivery will work: a USB key. Thinking of a nuclear facility, I’d have to assume that my hired-gun, even after he creates his switchblade, is capable of getting it delivered overseas to a nuclear facility site undetected, having someone discover the USB key, and having them plug it into a system which may not even be on a network. This is an unacceptable risk and an outright waste of money, but I’ll work with it.

From the hired-gun hacker’s perspective, I need to use multiple “zero days” to compromise my target. Because a switchblade isn’t enough, I have to load it up with these zero day attacks so that in the event that one fails, a failover attack finishes the job. For this I will use the most common and reliable exploits I can think of.

I need to be discreet. Again, depending on which expert is in fashion, the explanation given by most at this point makes little sense and, if analyzed piecemeal, crumbles: “Stuxnet is unusually large at half a megabyte in size, and written in different programming languages (including C and C++) which is also irregular for malware.” [3]

What have we heard so far from the experts? A (possible) sponsor, a hacker, delivery via the USB attack vector. So we are told to believe that someone traveled to Iran, a USB switchblade was deployed, an Iranian picked up this USB key, plugged it into some computer and triggered an event. Yet this hacker created a bloated worm based on a variety of code, which is “unusual.” Does anyone see yet why the whole story is riddled with problems?

There is a lot of speculation and opinion as to how Stuxnet managed to get onto nuclear machines, so here is a more plausible version. An attacker manages to compromise a machine and, while on the machine, stumbles upon an application they’ve never seen before. Doing reconnaissance on the application, they discover it is related to SCADA controls.

They begin working on a method to determine what it does, how it does it, and how it operates from the ground up. The attacker cobbles together botnet and malware code. Because the code is based on a P2P structure, the hacker can modify his/her payloads to change the parameters of how the malware operates.

At the beginning, the initial application was unusually small, and as additional capabilities were added, the program grew in size. Investigators ONLY discovered it during this large (bloated) phase. Investigators and analysts are now confused. Hollywood tall-tale stories ensue.

Shifting away from Stuxnet for a moment, let’s talk about botnets: why and how so many of them remain so threatening and difficult to detect. Beginning with sizing, botnet programmers and attackers have the attack vectors down to a science. Many will deliver small payloads which then go out and make modifications as needed.

They will often use chained exploits to get their foot in the door and keep their hooks in place. It makes more practical sense as an attacker to have as small a payload as possible, because as an attacker one wants to make as fast an impact in as short an amount of time as possible.

It is easier and more reliable to send small snippets of code to get the initial attack vector off the ground and avoid potential detection, ESPECIALLY with a high value target. From there on, once the initial compromise is off the ground, the sky is the limit. The risk is much smaller and the rewards much greater.

Forget about common sense, logical reasoning and common (hacker) sense though; let’s go back to “The Fabulous Mr. Stuxnet” and the hype. We already stated we have a potential sponsor, a hacker, an application, a target. How does “littering the area around this nuclear facility with USB keys” make any sense? There are a lot of assumptions.

One “assumes” there are USB ports on the machines in this facility, and also assumes they can autorun software off of a USB key. But let’s play along and assume there are ports, we can autorun software, and magically we will strike gold: an admin will walk up to a nuclear facing SCADA machine and run this USB key.

One then assumes that certain services are running, and NOT running, on these machines: e.g., an egress filtering firewall, UPnP, etc. In fact, one assumes the target is networked in a way that allows connecting from the outside world back into the nuclear facility. Still see the gaping holes in this theory? Let’s follow through with the story anyway.
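The “can they autorun software off a USB key” assumption above is something a defender can actually check rather than guess at. The following is an added example, not code from the original post: it decodes the Windows NoDriveTypeAutoRun policy bitmask (HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer), whose bits follow the GetDriveType() numbering, and reports which drive types still AutoRun. The sample policy values are constructed for illustration.

```python
r"""Decode the Windows NoDriveTypeAutoRun policy bitmask (added example).

Registry value (REG_DWORD), also honoured under HKCU:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
Each set bit disables AutoRun for one drive type; bit = 1 << GetDriveType().
"""

# Drive-type bits, derived from the GetDriveType() constants (0..7).
DRIVE_TYPE_BITS = {
    "unknown": 0x01,      # DRIVE_UNKNOWN
    "no_root_dir": 0x02,  # DRIVE_NO_ROOT_DIR
    "removable": 0x04,    # DRIVE_REMOVABLE: USB sticks, floppies
    "fixed": 0x08,        # DRIVE_FIXED
    "remote": 0x10,       # DRIVE_REMOTE: network shares
    "cdrom": 0x20,        # DRIVE_CDROM
    "ramdisk": 0x40,      # DRIVE_RAMDISK
    "reserved": 0x80,     # reserved for future drive types
}

DISABLE_ALL = 0xFF  # every bit set: AutoRun off for all drive types


def autorun_enabled_types(policy_value):
    """Return the drive types on which AutoRun is still permitted."""
    return sorted(name for name, bit in DRIVE_TYPE_BITS.items()
                  if not policy_value & bit)


def removable_autorun_blocked(policy_value):
    """True if a plugged-in USB key cannot trigger AutoRun under this policy."""
    return bool(policy_value & DRIVE_TYPE_BITS["removable"])


def harden(policy_value):
    """Return the policy value with AutoRun disabled for every drive type."""
    return policy_value | DISABLE_ALL


if __name__ == "__main__":
    # Constructed samples: 0x91 leaves USB keys and CD-ROMs able to AutoRun,
    # 0x95 additionally blocks removable media, 0xFF blocks everything.
    for value in (0x91, 0x95, DISABLE_ALL):
        print(f"0x{value:02X}: removable blocked={removable_autorun_blocked(value)}, "
              f"still enabled={autorun_enabled_types(value)}")
```

Read the value with `reg query` or `Get-ItemProperty` on the host in question and feed it to `removable_autorun_blocked`; anything other than `True` means the USB-key story in the text is at least technically possible on that machine.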

I as a hacker need to create malware that compromises a specific machine. To do so I choose four 0-day payloads and a worm based mechanism to spread everywhere in order to get to a specific machine. I need to ensure the following occurs:

1) I deliver this USB key to a nuclear facility in or around Iran. For this to work, I can forge the “Siemens” logo and either make a legit looking CDROM or get a “hi-rez” rubdown transfer and affix it to the USB key to make it look legit.

2) I need someone to insert that USB at any machine in the facility so that my worm can spread to a “specific” machine of which I created a “specific” payload to affect a “specific” piece of software in that facility.

3) I need to do this covertly, and I need to do it so that I can come and go undetected. This means I have to assume that the target has some form of network connectivity. I have to assume that there is no form of network and/or security monitoring or filtering. After all, if they have a firewall on that device blocking all egress traffic, all my work would be in vain.

Still don’t see problems with this theory? What about the glaring fact that one of the exploits used in Stuxnet bluescreens Windows machines [4]? Do you think that would be a sensible exploit to use? That in itself would be a gaping no-no from an attacker’s perspective. My take on it is one of two more plausible scenarios.

1) The insider. Someone with specific knowledge of the facility, knowledge of the software used in the facility, and direct physical access deployed it. This theory gets shot down because if the machine was networked, it would have made more sense to just download it as opposed to inserting a USB key.

2) The uberhackermonster. The uberhackermonster stumbled upon this system/network, discovered unusual software, and found a method to try and backdoor the machine to always retain access. This theory is more plausible and fits the facts better for a few reasons.

a) I quote: “Stuxnet is unusually large at half a megabyte in size, and written in different programming languages (including C and C++) which is also irregular for malware.” This to me means someone didn’t have as much of a focus as one thought. They cobbled this malware together from other available code.

The bulky size of it shows the immaturity and unprofessionalism of the hacker. Botnet operators, creators, programmers, etc., use small bits of code to deliver staged exploits. Why put all your eggs in one basket?

Anyhow, this has been a long ramble as it is, so I will leave it at that. There is far too much Hollywood’ism going on right now, and I don’t have the budget to compete with AV vendors, nor the expertise to compete with “SCADA Experts” who know these systems inside and out.

I’m solely an experienced penetration tester slash security engineer slash hacker slash insert_other_titles_here who would have done things differently. I’m someone who tries to think outside of the box, offering a realistic and logical view of why this entire Stuxnet “diatribe” is being written about by countless experts (including me!)

Tom Coats
This reminds me of the Bill Gates story back in the mid eighties. He would walk around looking over the shoulders of his programmers and ask them how long it took them to code something and then comment he could have done it in half the time.

The thing that fascinates me about Stuxnet is that it took advantage of devices no one really thinks are worth protecting.

That it is bloatware just seems to confirm that it was a group of programmers, working separately, probably on a government contract. Too secret, no one really knowing what the end goal is.